HUMAN’s Satori threat intelligence team has mapped and taken down a massive malvertising operation it named ‘VASTFLUX.’
At its peak, VASTFLUX generated 12 billion bid requests a day; over the course of its operation it spoofed over 1,700 applications and 120 publishers and ran on 11 million compromised devices.
While fraudulent ads may not directly threaten the privacy and security of mobile users, they still degrade the user experience, drain the battery, and incur unnecessary data charges.
Keeping the Scheme Invisible
The VASTFLUX scheme injected scripts into banner ads displayed inside applications; these scripts decrypted ad configurations and contacted a command-and-control (C2) server for further instructions, such as which ad to display in the hijacked banner.
HUMAN’s post explains that VASTFLUX evaded detection for an extended period by deploying code designed to resist discovery and by not using ad verification tags, which indicates that the operators possess an in-depth understanding of the digital advertising ecosystem.
Ad verification tags are small code snippets embedded in digital ads that let marketers measure performance; third-party verification companies also use them to generate metrics such as viewability and click-through rates.
By omitting ad verification tags, VASTFLUX gave those verification companies nothing to measure and so remained essentially invisible despite its massive size.
Moreover, the C2 instructed the injected scripts on which publisher and app IDs to spoof, which further reduced the chances of detection.
Taking Down VASTFLUX
The Satori team discovered VASTFLUX almost by accident: while investigating a different malvertising scheme, they noticed that an app under examination in their lab was generating multiple bid requests under different app IDs.
They then collaborated with the HUMAN community to gain additional insight into the scheme, gauge its size, map it, and identify all of its traffic sources.
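The discovery signal described above (one device emitting bid requests under several app IDs) and the ID spoofing described in the previous section are the same thing seen from two sides, so a single detection heuristic covers both. The following is an added example written for this article, not HUMAN’s or Satori’s code: it parses a constructed, hypothetical bid-request log (the `|`-separated field layout, device IDs, app IDs and publisher IDs are all invented for illustration) and flags any device that uses more than a threshold number of distinct app IDs within a short time window. The window and threshold values are assumptions, not figures from HUMAN’s investigation.

```python
"""Flag devices whose bid requests carry too many distinct app IDs.

Added example, not code from HUMAN or the Satori team. The heuristic is
modelled on the article's observation that a single lab device produced bid
requests under multiple app IDs. The log format, field names and all
identifiers below are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample log, one bid request per line:
# timestamp|device_id|app_id|publisher_id|bundle
SAMPLE_LOG = """\
2022-07-01T10:00:01Z|dev-aaa|app-001|pub-10|com.example.flashlight
2022-07-01T10:00:03Z|dev-aaa|app-001|pub-10|com.example.flashlight
2022-07-01T10:00:05Z|dev-bbb|app-019|pub-22|com.example.weather
2022-07-01T10:00:06Z|dev-bbb|app-277|pub-41|com.example.news
2022-07-01T10:00:06Z|dev-bbb|app-302|pub-41|com.example.games
2022-07-01T10:00:07Z|dev-bbb|app-019|pub-22|com.example.weather
2022-07-01T10:00:08Z|dev-bbb|app-511|pub-57|com.example.crossword
2022-07-01T10:00:09Z|dev-ccc|app-008|pub-10|com.example.radio
"""

Row = Tuple[str, str, str, str, str]


def parse_bid_requests(text: str) -> List[Row]:
    """Parse the constructed log format; reject malformed lines loudly."""
    rows: List[Row] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != 5:
            raise ValueError(f"malformed bid request line: {line!r}")
        rows.append((parts[0], parts[1], parts[2], parts[3], parts[4]))
    return rows


def parse_ts(ts: str) -> datetime:
    """Timestamps in the sample are UTC with a trailing 'Z'."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def flag_spoofing_devices(rows: List[Row], window_seconds: int = 60,
                          max_distinct_apps: int = 2) -> Dict[str, dict]:
    """Return a profile for each device that uses more than `max_distinct_apps`
    distinct app IDs inside any `window_seconds` window.

    A real handset may legitimately show a few apps over a day, so the check is
    per sliding window rather than over the whole log. Both thresholds are
    assumptions chosen for this example.
    """
    by_device: Dict[str, List[Tuple[datetime, str, str]]] = defaultdict(list)
    for ts, device, app, pub, _bundle in rows:
        by_device[device].append((parse_ts(ts), app, pub))

    flagged: Dict[str, dict] = {}
    for device, events in by_device.items():
        events.sort()  # oldest first so the window can slide forward
        window: deque = deque()
        for t, app, pub in events:
            window.append((t, app, pub))
            # Drop events that fell out of the time window.
            while (t - window[0][0]).total_seconds() > window_seconds:
                window.popleft()
            apps_in_window = {a for _, a, _ in window}
            if len(apps_in_window) > max_distinct_apps:
                flagged[device] = {
                    "apps": {a for _, a, _ in events},
                    "publishers": {p for _, _, p in events},
                    "requests": len(events),
                }
                break  # one hit is enough to flag the device
    return flagged


if __name__ == "__main__":
    for dev, profile in flag_spoofing_devices(parse_bid_requests(SAMPLE_LOG)).items():
        print(dev, "->", len(profile["apps"]), "app IDs,",
              len(profile["publishers"]), "publisher IDs,",
              profile["requests"], "requests")
```

On the sample, only `dev-bbb` is flagged: it emits five requests under four app IDs and three publisher IDs within a few seconds, which is the pattern the Satori team noticed in the lab. The threshold is the part a practitioner has to tune; set it too low and a user switching between apps over a busy minute gets flagged, set it too high and a spoofing script that rotates only a couple of IDs slips through.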
“From late June into July, HUMAN carried out three distinct mitigation responses to fight VASTFLUX. The first cut VASTFLUX traffic dramatically, but resulted in the bad actors adapting. The second, only a few days after the first, reduced VASTFLUX traffic to fewer than a billion requests a day: a 92% reduction from the operation’s peak. The third, about two weeks after the first response, further impaired VASTFLUX activity.”
HUMAN
Satori then notified the abused organizations in order to orchestrate a broader, more coordinated action against the scheme. The VASTFLUX operators responded by taking down their C2 servers, likely fearing identification and prosecution.
Signs of Adware
From the user’s perspective, in-app ads are part of the ordinary, expected experience, and malicious hijacks that generate revenue for malvertising operators are not easily discernible.
However, unusually high battery consumption by particular apps, unexplained performance slow-downs, the screen lighting up at random, and increased data usage may all indicate that adware is running on your device.